ABSTRACT

The problem of checking a logged event trace against a temporal logic specification arises in many practical cases. Unfortunately, known algorithms for an expressive logic like MTL (Metric Temporal Logic) do not scale with respect to two crucial dimensions: the length of the trace and the size of the time interval for which logged events must be buffered to check satisfaction of the specification. The former issue can be addressed by distributed and parallel trace checking algorithms that can take advantage of modern cloud computing and programming frameworks like MapReduce. Still, the latter issue remains open with current state-of-the-art approaches.

In this paper we address this memory scalability issue by proposing a new semantics for MTL, called lazy semantics. This semantics can evaluate temporal formulae and boolean combinations of temporal-only formulae at any arbitrary time instant. We prove that lazy semantics is more expressive than standard point-based semantics and that it can be used as a basis for a correct parametric decomposition of any MTL formula into an equivalent one with smaller, bounded time intervals. We use lazy semantics to extend our previous distributed trace checking algorithm for MTL. We evaluate the proposed algorithm in terms of memory scalability and time/memory tradeoffs.

1. INTRODUCTION 

Software systems have become more complex, distributed, and increasingly reliant on third-party functionality. The dynamic behavior of such systems makes traditional design-time verification approaches unfeasible, because they cannot analyze all the behaviors that can emerge at run time. For this reason, techniques like run-time verification and trace checking have become a viable alternative for the verification of modern systems. While run-time verification checks the behavior of a system during its execution, trace checking is a post-mortem technique. In other words, to perform trace checking one must first collect and store relevant execution data (called execution traces or logs) produced by the system and then check them offline against the system specifications. For example, this activity is often done to inspect server logs, crash reports, and test traces, in order to analyze problems encountered at run time. More precisely, trace checking¹ is an automatic procedure for evaluating a formal specification over a trace of recorded events produced by a system. The output of the procedure is called verdict and states whether the system's behavior conforms to its formal specification.

* This work has been partially supported by the National Research Fund, Luxembourg (FNR/P10/03).

¹ Also called trace validation [22] or history checking [16].

The volume of the execution traces gathered for modern systems increases continuously as the systems become more and more complex. For example, the hourly page traffic statistics for Wikipedia articles collected over a period of 7 months amount to 320GB of data [25]. This huge volume of trace data challenges the scalability of current trace checking tools [7,15,17,23,24], which are centralized and use sequential algorithms to process the trace. One possible way to efficiently perform trace checking over large traces is to use a distributed and parallel algorithm, as done in [3,5] and also in the previous work [9] of some of the authors. These approaches rely on the MapReduce framework [13] to handle the processing of large traces. MapReduce is a programming model and an underlying execution framework for parallel and distributed processing of large quantities of data stored on a cluster of different interconnected machines (or nodes). In [9] we proposed a MapReduce algorithm that checks very large execution traces against formal specifications expressed in metric temporal logic (MTL); the algorithm exploits the structure of the formula to parallelize its evaluation.

MTL [18] is a class of temporal logic used for the specification and verification of real-time systems. It extends the well-known “Until” temporal operator of classical LTL with an interval that indicates the time distance within which the formula must hold. For example, the property “It is always true that when a student accesses a homework assignment, he/she can provide or modify the answer within a week before a professor revokes the access.” is expressed as:

G(access → (can_write ∨ can_modify) U_{(0,604800000]} revoke)

where operator U (called “Until”) states that its right operand, the revoke event, must occur within a week (i.e., 604 800 000 ms, assuming a millisecond granularity in the log) from the moment of access (expressed by the access event). It also states that the left operand must be continuously true until that happens. Operator G (called “Globally”) simply states that the property holds over the whole trace. In this logic, time can be expressed either as integer or real time-stamps, corresponding, respectively, to its discrete-time and continuous-time variants. MTL specifications may express properties that refer to different parts of the trace or to large portions of the trace at once by using large time intervals. In the example above, to check if the “Until” subformula holds in a single position of the trace, the algorithm needs to consider a portion of the trace corresponding, in the worst case, to a whole week of logged data. For the whole formula, this process needs to be performed for every position in the trace because of the outer “Globally” operator. More generally, trace checking algorithms scan a trace and typically buffer the events that satisfy the temporal constraints of the formula. The buffer is incrementally updated as the trace is scanned and the algorithms incrementally provide verdicts for the positions for which they have enough information (to determine the verdict). In [24] the authors state that the lower bound for the memory complexity of trace checking algorithms is exponential in the numeric constants occurring in the MTL formula encoded in binary. Therefore the strategy of buffering events creates a memory scalability issue for trace checking algorithms. This issue also affects distributed and parallel solutions, including our previous work [9]. More specifically, the memory scalability of a trace checking algorithm on a single cluster node depends exponentially on the numeric constants defining the bounds of the time intervals in the MTL formula to be checked.

The goal of this paper is to address this memory scalability issue by proposing a trace checking algorithm that exploits a new semantics for MTL, called lazy semantics. Unlike traditional point-based semantics [18], our lazy semantics can evaluate temporal formulae and boolean combinations of temporal-only formulae at any arbitrary time instant, while it evaluates atomic propositions only at time-stamped positions of the trace. We propose lazy semantics because it possesses certain properties that allow us to decompose any MTL formula into an equivalent MTL formula where the upper bound of all time intervals of its temporal operators is limited by some constant. This decomposition plays a major role in the context of (distributed) trace checking of formulae with large time intervals. In practice, if we want to check a formula with a large time interval, applying the decomposition yields an equivalent formula with smaller time intervals. We can then use our new trace checking algorithm that applies lazy semantics and checks the new formula in a more memory-efficient way.

We show that our proposed semantics does not hinder the expressive power of MTL: in fact we prove that MTL interpreted over lazy semantics is strictly more expressive than MTL interpreted over point-based semantics. In other words, any MTL formula interpreted over point-based semantics can be rewritten as an MTL formula interpreted over lazy semantics. Moreover, there are MTL formulae interpreted over lazy semantics that do not have an equivalent formula that can be interpreted over point-based semantics. We have integrated lazy semantics and the modified distributed trace checking algorithm into our MTLMapReduce tool [19], implemented using the Apache Spark framework. The evaluation shows that the proposed approach can be used to check formulae that use very large time intervals, on very large traces, while keeping a low memory footprint. This footprint is compatible with the available configuration of common cloud instances. Moreover, our tool performs better, in terms of memory scalability, than state-of-the-art tools. We have also assessed the time and memory tradeoffs of the algorithm when different decomposition parameters are used.

In summary, the specific contributions of this paper are: 1) A new semantics for MTL, called lazy semantics; we prove that it is strictly more expressive than point-based semantics. 2) A parametric decomposition of MTL formulae into MTL formulae where the upper bound of all time intervals is limited by some constant; 3) A new trace checking algorithm that exploits lazy semantics and parametric decomposition, to check MTL formulae in a memory-efficient way; 4) The evaluation of the proposed algorithm in terms of memory scalability and time/memory tradeoffs.

The rest of the paper is structured as follows. Section 2 briefly introduces MTL interpreted over point-based semantics and the MapReduce programming model. Section 3 overviews our approach and motivates the need for lazy semantics and the parametric decomposition of MTL formulae. Lazy semantics is introduced in Section 4. Section 5 details the parametric decomposition of MTL formulae. Section 6 introduces our distributed trace checking algorithm that supports lazy semantics. Section 7 reports on the evaluation of our implementation. Section 8 surveys related work, while Section 9 concludes the paper.

2. PRELIMINARIES 

2.1 Point-based Semantics for MTL 

Let I be any non-empty interval over ℕ and let Π be a finite set of atomic propositions (or atoms). The syntax of MTL is defined by the following grammar, where p ∈ Π and U_I is the metric “Until” operator: φ ::= p | ¬φ | φ ∨ φ | φ U_I φ. Additional boolean operators and temporal operators can be derived using the usual conventions: “Eventually” is defined as F_I φ = ⊤ U_I φ; “Globally” is defined as G_I φ = ¬F_I ¬φ.

We adopt the convention that an interval of the form [i, i] is written as “= i”. The interval [0, +∞) in temporal operators is omitted for simplicity. We introduce the following shorthand notation: F^K(φ) = F F … F(φ), with F applied K times, and F^0(φ) = φ. Hereafter we refer to point-based semantics for MTL as MTL_p semantics.

MTL_p semantics. We focus on the finite-word semantics of MTL, since we apply it to the problem of trace checking. A timed sequence τ, of length |τ| > 0, is a sequence τ_0 τ_1 … of values τ_i ∈ ℝ such that 0 ≤ τ_i < τ_{i+1} for each 0 ≤ i < |τ| − 1, i.e., the sequence is strictly monotonic. A word σ over the alphabet 2^Π is a sequence σ_0 σ_1 … such that σ_i ∈ 2^Π for all 0 ≤ i < |σ|, where |σ| denotes the length of the word. A timed word [1] ω = ω_0 ω_1 … is a word over 2^Π × ℝ, i.e., a sequence of pairs ω_i = (σ_i, τ_i), where σ_0 … σ_{|σ|−1} is a word over 2^Π and τ_0 … τ_{|σ|−1} is a timed sequence. A pair ω_i is also called an element of the timed word. Moreover, notice that in this definition i refers to a particular position of the element ω_i in the timed word ω, while τ_i refers to the time instant or time-stamp of the element ω_i. We abuse the notation and represent a timed word equivalently as a pair containing a word and a timed sequence of the same length, i.e., ω = (σ, τ). A timed language over 2^Π is a set of timed words over 2^Π. MTL_p semantics on timed words is given in Figure 1, where the point-based satisfaction relation ⊨_p is defined with respect to a timed word (σ, τ), a position i ∈ ℕ, and MTL formulae φ and ψ. Note that, due to the strictly monotonic definition of the timed sequence τ, the metric “Next” operator can be defined as X_I φ = ⊥ U_{I∖{0}} φ. L_p(φ) is the timed language defined by a formula φ when interpreted over the MTL_p semantics, i.e., L_p(φ) = {(σ, τ) | (σ, τ, 0) ⊨_p φ}.



(σ, τ, i) ⊨_p p iff p ∈ σ_i, for p ∈ Π
(σ, τ, i) ⊨_p ¬φ iff (σ, τ, i) ⊭_p φ
(σ, τ, i) ⊨_p φ ∨ ψ iff (σ, τ, i) ⊨_p φ or (σ, τ, i) ⊨_p ψ
(σ, τ, i) ⊨_p φ U_I ψ iff ∃j.(i ≤ j < |σ| and τ_j − τ_i ∈ I and (σ, τ, j) ⊨_p ψ and ∀k.(i ≤ k < j then (σ, τ, k) ⊨_p φ))

Figure 1: MTL_p semantics on timed words.


2.2 The MapReduce programming model 

MapReduce [13] is a programming model, developed by Google, for processing and analyzing large data sets using a parallel, distributed infrastructure. The MapReduce programming model uses two user-defined functions, map and reduce, that are inspired by the homonymous functions that are typically found in functional programming languages. The map function receives a key-value pair associated with the input data and returns a set of intermediate key-value pairs; its signature is map(k: K1, v: V1) : list[(k: K2, v: V2)]. The reduce function is applied to all the intermediate values that have the same intermediate key in order to combine the derived data appropriately; its signature is reduce(k: K2, list(v: V2)) : list[v: V2]. In the definitions above, K1 and K2 are types for keys and V1 and V2 are types for values.

Besides the actual programming model, MapReduce is also a framework that provides, in a transparent way to developers, parallelization, fault tolerance, locality optimization, and load balancing. The MapReduce framework is responsible for partitioning the input data, scheduling and executing the Map and Reduce tasks (also called mappers and reducers, respectively) on a cluster of available nodes, and for managing communication and data transfer (usually leveraging a distributed file system). More in detail, the execution of a MapReduce operation (called job) proceeds as follows. First, the system splits the input into blocks² of a certain size using an InputReader, generating input key/value pairs. It then assigns each input block to mappers, which are processed in parallel by the nodes in the distributed architecture. A mapper reads the corresponding input block and passes the set of key/value pairs to the map function, which generates a set of intermediate key/value pairs. Notice that each run of the map function is stateless, i.e., the transformation of a single key/value pair does not depend on any other key/value pair. The next phase is called shuffle and sort: it takes the intermediate data generated by each mapper, sorts them together with the intermediate data generated on the other nodes, divides these data into regions to be processed by reducers, and distributes these data to the nodes where the reducers will be executed. The division of intermediate data into regions is done by a partitioning function, which depends on the (user-specified) number of reducers and on the key of the intermediate data. Each reducer executes the reduce function, which produces the output data. This output is appended to a final output file for this reduce partition. The output of the MapReduce job will then be available in several files, one for each reducer used. Multiple MapReduce calls can be linked together in sequence to perform complex data processing.

² Also called input splits or chunks.

Figure 2: Evaluation of formula Φ = F_{[3,7]}(p).


3. MOTIVATION AND OVERVIEW OF THE APPROACH

As mentioned in Section 1, trace checking is an automatic procedure for evaluating a formal specification over a trace of recorded events produced by a system. Since traces can be seen as a sequence of time-stamped elements (where each element records one or more events), we use timed words as abstract models of traces. Hence, a pair ω_i = (σ_i, τ_i) corresponds to the i-th element of the trace, where σ_i represents all the event(s) with time-stamp τ_i.

Trace checking algorithms handle metric temporal operators by buffering elements of the trace. The time interval specified in the metric temporal formula to check determines the portion of the trace that needs to be considered to decide whether the formula is true in a single position of the trace. Depending on the particular MTL formula that is being checked, in the worst case this process needs to be repeated for every position in the trace³. What trace checking algorithms typically do is to keep the relevant portion of the trace in a buffer as they scan the trace. The buffer is updated incrementally while the algorithm scans and produces verdicts for the following elements in the trace. The procedure for updating the buffer consists of adding a newly-scanned element e of the trace and removing the elements whose time-stamps do not satisfy the temporal constraint of the formula to check, when evaluated with respect to the time-stamp of e. Buffering elements presents a memory scalability issue if a metric temporal formula with a large interval needs to be processed. Let us present an example to motivate the need for lazy semantics.

Example 1. Consider formula Φ = F_{[3,7]}(p) and its evaluation on the following trace (represented as a timed word): ({p},1), ({p},2), ({q},4), ({p,q},6), ({p,q},8), ({q},9), ({q},10). The timed word, shown in Figure 2, is defined over the set of atoms Π = {p, q}; its length is 7 and it spans over 10 time units. The first two rows in the picture represent its atoms and time-stamps; the last two rows show, respectively, the evaluation of subformula p and formula F_{[3,7]}(p) using point-based semantics. As shown in the last row of Figure 2, according to point-based semantics, formula F_{[3,7]}(p) holds at positions 1, 2 and 3.

For a formula of the form F_{[a,b]}(p), the algorithm needs to buffer, in the worst case (i.e., in case there exists an element in correspondence of every time instant), at most b + 1 elements. For example, to evaluate formula F_{[3,7]}(p) at time instant 2, in the worst case the algorithm will buffer 8 elements, i.e., all the elements whose time-stamp ranges from 2 to 9. The elements with time-stamps ranging from 6 to 9 satisfy the time interval constraint of the formula; the others are kept for the evaluation of the formula at subsequent positions. Let us assume that the execution infrastructure could only store 5 elements in the buffer, for example because of limited memory. The worst-case requirement of keeping 8 elements in the buffer would then be too demanding for the infrastructure, in terms of memory scalability. To lower the memory requirement for the buffer we would need a formula with a smaller time interval and expressing the same property as Φ. In other words, one might ask whether there is an MTL formula equivalent to Φ with all the intervals bounded by the constant 4 (and thus requiring to store at most 4+1=5 elements in the buffer).

³ For example, if a “Globally” temporal operator is used.

Let us consider formula Φ' = F_{[3,4]}(p) ∨ F_{[4,4]}(F_{[0,3]}(p)): a naive, intuitive interpretation might lead us to think that it defines the same property as Φ. Roughly speaking, instead of checking if p eventually occurs within the entire [3,7] time interval, Φ' checks if p either occurs in the [3,4] interval (as specified by subformula F_{[3,4]}(p)) or in the interval [0,3] when evaluated exactly 4 time instants in the future (as specified by subformula F_{[4,4]}(F_{[0,3]}(p))). Figure 3 shows the evaluation of formula Φ' over the same trace used in Figure 2. As one can see, formula Φ' does not have the same evaluation as Φ on the same trace. More specifically, at time instant 1 Φ' is false while Φ is true (see the values circled in both figures). By analyzing the evaluation of Φ', one can notice that subformula F_{[4,4]}(F_{[0,3]}(p)) at time instant 1 refers to the value of F_{[0,3]}(p) at time instant 5, which does not have a corresponding element in the trace. If there was an element at time instant 5, F_{[0,3]}(p) would be true since p holds at instant 6.

The above example shows that the evaluation of temporal subformulae according to point-based semantics depends on the existence of certain elements in the trace. It also shows that point-based semantics is not suitable to support the intuitive decomposition of MTL formulae into equivalent ones with smaller time intervals, like the one from Φ to Φ' shown above. We maintain that this constitutes a limitation for the application of point-based semantics in the context of trace checking. Therefore, in this paper we propose a new, alternative semantics for MTL, called lazy semantics.

The main feature of lazy semantics is that it evaluates temporal formulae and boolean combinations of temporal-only formulae at any arbitrary time instant, regardless of the existence of the corresponding elements in the trace. The existence of the elements is only required when evaluating atoms. This feature allows us to decompose any MTL formula into an equivalent MTL formula in which the upper bound of all time intervals of its temporal operators is limited by some constant. Such a decomposition can be used as a pre-processing step of a trace checking algorithm, which can then perform in a more memory-efficient way.

In the following sections we first introduce lazy semantics (Section 4) and formalize the notion of the decomposition exemplified above (Section 5). Afterwards, in Section 6 we describe the modifications to our previous trace checking algorithm [9], required to preprocess the formula and support lazy semantics.

Figure 3: Evaluation of formula Φ' = F_{[3,4]}(p) ∨ F_{[4,4]}(F_{[0,3]}(p)).

(σ, τ, t) ⊨_L p iff ∃i.(0 ≤ i < |σ| and t = τ_i and p ∈ σ_i)
(σ, τ, t) ⊨_L ¬φ iff (σ, τ, t) ⊭_L φ
(σ, τ, t) ⊨_L φ ∨ ψ iff (σ, τ, t) ⊨_L φ or (σ, τ, t) ⊨_L ψ
(σ, τ, t) ⊨_L φ U_I ψ iff ∃t'.(t' ≥ t and t' − t ∈ I and (σ, τ, t') ⊨_L ψ and ∀t''.(t ≤ t'' < t' and ∃i.(0 ≤ i < |σ| and t'' = τ_i) then (σ, τ, t'') ⊨_L φ))

Figure 4: MTL_L semantics on timed words.

4. LAZY SEMANTICS FOR MTL 

The following example shows an anomalous case of MTL_p semantics that lazy semantics for MTL (denoted as MTL_L semantics) intends to remedy. Consider a timed word ω = (σ, τ) = ({q}, 1)({p}, 7) … and two MTL formulae ψ_1 : F_{=6} p and ψ_2 : F_{=3} F_{=3} p. The intuitive meaning of the two formulae is the same: p holds 6 time units after the origin, i.e., at time-stamp 7. However, when evaluated in the first position of ω using the MTL_p semantics, the two formulae have opposite values: ψ_1 correctly evaluates to true, but ψ_2 to false, since in ψ_2 the outermost F_{=3} subformula is trivially false, because there is no position that is exactly 3 time instants in the future with respect to the origin. The two formulae, instead, are equivalent under the MTL_L semantics, where they both evaluate to true. Indeed, this is true also over signal-based semantics [11]; however, signals are not very practical for monitoring and trace checking, which usually operate on logs that are best modeled as a sequence of discrete time-stamped observations, i.e., timed words.

MTL_L semantics. MTL_L semantics on timed words is given in Figure 4, in terms of the satisfaction relation ⊨_L, with respect to a timed word (σ, τ) = (σ_0, τ_0)(σ_1, τ_1)… and a time instant t ∈ ℝ; p is an atom and φ and ψ are MTL formulae. An MTL formula φ, when interpreted over MTL_L semantics, defines a timed language L_L(φ) = {(σ, τ) | (σ, τ, 0) ⊨_L φ}. The main difference between MTL_p and MTL_L semantics is that MTL_p evaluates formulae only at positions i of a timed word, while MTL_L inherits a feature of signal-based semantics, namely it may evaluate (non-atomic) formulae at any possible time instant t, even if there is no time-stamp equal to t. For example, according to the MTL_p semantics, an “Until” formula φ = ψ_1 U_I ψ_2 evaluates to false in case there are no positions in the interval I, due to the existential quantification on j (see Figure 1). Conversely, under the MTL_L semantics, the evaluation of φ depends on the evaluation of ψ_2. If the latter is an atom then formula φ also evaluates to false, because of the existential quantifier in the MTL_L semantics of atoms. However, if ψ_2 is a temporal formula or a boolean combination of temporal-only formulae (e.g., other “Until” formulae), it will be evaluated in the part of the timed word that satisfies the interval of φ. Hereafter we refer to the MTL formulae interpreted over the MTL_L semantics as “MTL_L formulae”; similarly, “MTL_p formulae” are MTL formulae interpreted over the MTL_p semantics.

Let M(Π) be the set of all formulae that can be derived from the MTL grammar shown in Section 2.1, using Π as the set of atoms. We show that any language L_p(φ) defined using some MTL_p formula φ can be defined using an MTL_L formula obtained after applying the translation l2p : M(Π) → M(Π) to φ, i.e., L_p(φ) = L_L(l2p(φ)) for any φ. The l2p translation is defined as follows:

l2p(p) = p, p ∈ Π;   l2p(φ ∨ ψ) = l2p(φ) ∨ l2p(ψ)

l2p(¬φ) = ¬l2p(φ);   l2p(φ U_I ψ) = l2p(φ) U_I (φ_act ∧ l2p(ψ))

where φ_act = a ∨ ¬a for some a ∈ Π.

The goal of l2p is to prevent the occurrence of the nesting of temporal operators, i.e., to avoid the presence of (sub)formulae like F_{=3} F_{=3} p. As discussed above in the example, nested temporal operators are interpreted differently over the two semantics. Nesting is avoided by rewriting the right argument of every “Until” (i.e., the “existential” component of “Until”). The argument is conjuncted with a formula φ_act that evaluates to true (under both semantics) if there exists a position in the underlying timed word; otherwise φ_act evaluates to false. To explain this intuition, let us evaluate φ_act over a timed word (σ, τ) over the alphabet Π = {a}. Under point-based semantics, (σ, τ, i) ⊨_p φ_act = (σ, τ, i) ⊨_p a ∨ ¬a is true for any position i, since either a belongs to σ_i or not. However, the same does not hold for lazy semantics. According to lazy semantics, (σ, τ, t) ⊨_L φ_act is true only in those time instants t for which there exists i such that τ_i = t and therefore the corresponding σ_i exists (to which a can belong or not).

Lemma 1. Given an MTL formula φ and a timed word ω = (σ, τ), for any i ≥ 0, the following equivalence (modulo l2p translation) holds: (σ, τ, i) ⊨_p φ iff (σ, τ, τ_i) ⊨_L l2p(φ).

The proof of the lemma is in Appendix A.

Theorem 1. Any timed language defined by an MTL_p formula can be defined by an MTL_L formula over the same alphabet.

Proof. By Lemma 1, for i = 0. □

Notice that the translation l2p defines a syntactic MTL fragment where temporal operators, or boolean combinations of temporal-only operators, cannot be nested. In this fragment MTL_p and MTL_L formulae define the same languages. However, if we consider the complete definition of MTL, without syntactic restrictions, the class of timed languages defined by MTL_L formulae strictly includes the class of languages defined by MTL_p formulae. In other words, MTL interpreted over lazy semantics is strictly more expressive than MTL interpreted over point-based semantics; this result is established by Theorem 2 below.


5. PARAMETRIC DECOMPOSITION 

In this section we show that lazy semantics allows for a parametric decomposition of MTL formulae into MTL formulae where the upper bound of all intervals of the temporal operators is limited by some constant K (the parameter of the decomposition). This structural characteristic will then be used in the trace checking algorithm presented thereafter.

We first introduce some notation and show some properties of lazy semantics that will be used to prove the correctness of the decomposition. We define the operator ⊕ over intervals in ℕ such that I ⊕ J = {i + j | i ∈ I and j ∈ J}.

Lemma 2. For any timed word (σ, τ) and t ≥ 0, (σ, τ, t) ⊨_L F_I F_J φ iff (σ, τ, t) ⊨_L F_{I⊕J} φ.

Corollary 1. For any timed word (σ, τ) and t, N ≥ 0, (σ, τ, t) ⊨_L F^N_{=K} φ iff (σ, τ, t) ⊨_L F_{=K·N} φ.

Lemma 3. For any timed word (σ, τ) and t ≥ 0, (σ, τ, t) ⊨_L F_{I∪J} φ iff (σ, τ, t) ⊨_L F_I φ ∨ F_J φ.

The proofs of the above corollary and lemmata are in Appendix A.

Hereafter, we focus on bounded MTL formulae, i.e., formulae where intervals are always finite. We present the parametric decomposition by referring to the bounded “Eventually” operator. The bounded “Until” and “Globally” operators can be expressed in terms of the bounded “Eventually” operator using the usual equivalences; moreover, we remark that the decomposition does not affect atoms and is applied recursively to boolean operators. We use angle brackets (symbols “⟨” and “⟩”) in the definition of the decomposition to cover all four possible cases of open (denoted with round brackets) and closed (denoted with square brackets) intervals; the definition is valid for any instantiation of the symbols as long as they are consistently replaced on the right-hand side.

The decomposition C_K of MTL formulae with respect to parameter K is the translation C_K : M(Π) → M(Π) such that C_K(F_{⟨a,b⟩} φ) =

  F_{⟨a,b⟩} C_K(φ)                                                          if b < K
  F^{⌊a/K⌋}_{=K}( F_{⟨a mod K, b − ⌊a/K⌋·K⟩} C_K(φ) )                             if K ≤ b < ⌊a/K + 1⌋·K
  F^{⌊a/K⌋}_{=K}( F_{⟨a mod K, K⟩} C_K(φ) ∨ F_{=K}( V_F(C_K(φ), K, b − ⌊a/K + 1⌋·K) ) )   if b ≥ ⌊a/K + 1⌋·K

where

  V_F(ψ, K, h) =
    F_{⟨0,h⟩} ψ                                   if h < K
    F_{⟨0,K⟩} ψ ∨ F_{=K}( V_F(ψ, K, h − K) )       if h ≥ K


Theorem 2. There exists a timed language defined by some MTL_L formula that cannot be defined by any MTL_p formula.

Proof. Consider the language of timed words {(σ, τ) : ∃i∃j (i < j ∧ (σ, τ, i) ⊨_L b ∧ (σ, τ, j) ⊨_L c ∧ τ_j < 2)}. It is defined by the MTL_L formula Φ = Φ_1 ∨ Φ_2 ∨ Φ_3, where Φ_1 = (F_{(0,1)} b) ∧ (F_{[1,2]} c) ∨ (F_{(0,1]} b) ∧ (F_{(1,2]} c); Φ_2 = F_{(0,1]}(b ∧ F_{(0,1]} c) and Φ_3 = F_{(0,1]}((F_{(0,1)} b) ∧ (F_{[1,1]} c)). Formula Φ cannot be represented by any MTL_p formula (see reference [11], prop. 6). □


The decomposition C_K considers three cases depending on the values of a, b, and K. In the first case we have b < K, which means that the upper bound of the temporal interval [a, b] in the input formula is smaller than K, therefore no decomposition is needed. The other two cases consider input formulae where b ≥ K. The second case is characterized by b < ⌊a/K + 1⌋·K = ⌊a/K⌋·K + K. The decomposition yields a formula of the form F^{⌊a/K⌋}_{=K}(α), where α = F_{[a mod K, b − ⌊a/K⌋·K]} C_K(φ) is equivalent to the input formula F_{[a,b]}(φ) evaluated at time instant ⌊a/K⌋·K. Notice that according to Corollary 1, the argument α in F^{⌊a/K⌋}_{=K}(α) is evaluated at time instant ⌊a/K⌋·K. The third case is characterized by b ≥ ⌊a/K + 1⌋·K.

Figure 5: C_K decomposition of formula F_{[a,b]} p (timeline figure; the resulting formula is written above the K-positions at which its subformulae are evaluated).

We illustrate the decomposition of F_{[a,b]} p with p ∈ Π by referring to the example in Figure 5, where the black squares divide the timeline into segments of length K. We refer to each position in the timeline pinpointed by a black square as a K-position. The big brackets enclose the interval [a, b] relative to time instant 0. Moreover, we assume some values for a and K such that ⌊a/K⌋ = 2; hence, in the figure the position of a in the timeline is between the marks corresponding to 2K and 3K. The application of C_K(F_{[a,b]} p) returns the formula F_{=K}(F_{=K}(F_{[a mod K, K]} p ∨ F_{=K}(F_{[0,K]} p ∨ F_{=K}(F_{[0, b − ⌊a/K + 2⌋·K]} p)))), which is shown above the timeline, spanning through its length such that each subformula is written above the corresponding K-position where it is evaluated. Since ⌊a/K⌋ = 2 there are two subformulae of the form F_{=K} evaluated in the first two K-positions. Unlike the previous case, the interval [a, b] is too big to allow for rewriting the input formula into another formula with a single F operator with bounded length. Hence, we use three subformulae: 1) F_{[a mod K, K]} p evaluated at the third K-position, 2) F_{[0,K]} p evaluated at the fourth K-position, and 3) F_{[0, b − ⌊a/K + 2⌋·K]} p evaluated at the fifth K-position; the last two subformulae are obtained from the definition of V_F. Notice that if K is set to be equal to one, the C_K decomposition boils down to the reduction of MTL to LTL.

Theorem 3. Given an MTL_L formula φ, a timed word (σ, τ) and a positive constant K, we have that:

(σ, τ, 0) ⊨_L φ iff (σ, τ, 0) ⊨_L C_K(φ)

and the upper bound of every bounded interval in all temporal subformulae of C_K(φ) is less than or equal to K.

Proof. We can prove this statement by showing that C_K(φ) can always be rewritten back as φ and vice versa using Lemmas 2 and 3. The complete proof is provided in the appendix. □

6. TRACE CHECKING MTL_L FORMULAE WITH MAPREDUCE

The theoretical results presented in Section 5 can be applied to improve the memory scalability of the distributed trace checking algorithm based on the MapReduce programming model, introduced by some of the authors in previous work [9]. Although the algorithm presented in [9] was designed to perform trace checking of properties written in SOLOIST [10] (an extension of MTL with aggregating temporal modalities), here we consider, without loss of generality (see [10]), only its MTL subset. In the rest of this section, after introducing some additional notation, we give an overview of the algorithm's execution flow, and detail the modifications (emphasized with grey boxes in Figure 6) applied to the original algorithm defined in [9] to support MTL_L semantics.

Additional notation. Let φ and ψ be MTL formulae. The set of all proper subformulae of φ is denoted with sub(φ); notice that for atoms p ∈ Π, sub(p) = ∅. The size of a formula φ, denoted |φ|, is defined as the number of its non-proper subformulae, i.e. |φ| = |sub(φ)| + 1. The set sub_a(φ) = {ρ | ρ ∈ sub(φ), sub(ρ) = ∅} is the set of atoms of formula φ. The set sub_d(φ) = {α | α ∈ sub(φ), ∀β ∈ sub(φ), α ∉ sub(β)} is called the set of all direct subformulae of φ; φ is called the superformula of all formulae in sub_d(φ). The set sup_ψ(φ) = {α | α ∈ sub(ψ), φ ∈ sub_d(α)} is the set of all subformulae of ψ that have formula φ as direct subformula. The height h(φ) of φ is defined recursively as:

h(φ) = max{h(ψ) | ψ ∈ sub_d(φ)} + 1 if φ ∉ Π,
h(φ) = 1 otherwise.

For example, given the formula γ = F[2,4](a ∧ b) U(30,100) ¬c, we have: sub(γ) = {a, b, c, a ∧ b, ¬c, F[2,4](a ∧ b)} is the set of all subformulae of γ; sub_a(γ) = {a, b, c} is the set of atoms in γ; sub_d(γ) = {F[2,4](a ∧ b), ¬c} is the set of direct subformulae of γ; sup_γ(a) = sup_γ(b) = {a ∧ b} shows that the sets of superformulae of a and b in γ coincide; and the height of γ is 4, since h(a) = h(b) = h(c) = 1, h(¬c) = h(a ∧ b) = 2, h(F[2,4](a ∧ b)) = 3 and therefore h(γ) = max{h(F[2,4](a ∧ b)), h(¬c)} + 1 = 4.

Overview. The algorithm takes as input a non-empty execution trace T and an MTL formula Φ and provides a verdict whether the trace satisfies the formula or not. Before the algorithm is used we assume that the execution infrastructure, i.e., the cluster of machines, is configured and running. We also assume that one can easily estimate through experimentation the largest time interval bound K_cluster manageable by the cluster, i.e., the largest bound that does not trigger memory saturation. The bound K_cluster depends on the memory configuration of the node in the cluster with the least amount of memory available. Once we have this information, we can preprocess the input formula Φ, leveraging the theoretical results of Section 5. If the temporal operators in Φ have bounded intervals less than K_cluster, we apply the unmodified version of the original algorithm [9], which evaluates formulae according to point-based semantics. Otherwise, we have to transform the original formula into an equivalent one that can be efficiently checked. This transformation is achieved by first interpreting the input formula Φ over lazy semantics: to preserve its meaning, we apply the l2p transformation. Afterwards, given the parameter K_cluster, we rewrite the formula using the C_{K_cluster} decomposition (i.e., the C_K decomposition instantiated with parameter K_cluster) and obtain the formula C_{K_cluster}(l2p(Φ)). Thanks to Theorem 3, this formula contains intervals no greater than K_cluster and is equivalent to Φ.

The trace is modeled as a timed word, i.e., we have T = (σ, τ). We call ω_i = (σ_i, τ_i) an element of the trace T at position i. It contains the set of atoms σ_i ⊆ Π that hold at position i and an integer time-stamp τ_i. We assume that the execution trace is saved in the distributed file system of the cluster on which the distributed algorithm is executed. This is a realistic assumption since in a distributed setting it is possible to collect logs, as long as there is a total order among the time-stamps induced by some clock synchronization protocol.

The trace checking algorithm processes the trace iteratively, through a sequence of MapReduce executions. The number of MapReduce iterations is equal to the height of the MTL formula Φ. The first MapReduce iteration parses the input trace from the distributed file system, applies the map and reduce functions and passes the output (a set of tuples) to the next iteration. Each subsequent iteration receives the set of tuples from the respective previous iteration in the expected internal format, thus parsing is performed only in the first iteration. A subsequent iteration l (where 1 < l ≤ h(Φ)) receives the set of tuples from the iteration l − 1. The set of tuples contains all the positions where the subformulae of Φ of height l − 1 hold. Note that the trace itself is a similar set, containing all the positions where the atoms (with height 1) hold. Based on the set it receives, the l-th iteration can then calculate all the positions where the subformulae of height l hold. Each iteration consists of three phases: 1) read phase that reads and splits the input; 2) map phase that associates each formula with its superformula; and 3) reduce phase that applies the semantics of the appropriate subformula of Φ. The final set of tuples represents all the positions where the input MTL formula holds, thus producing the verdict is only a matter of checking if it holds in the first position.

Read phase. The input reader component of the MapReduce framework is used in this phase; this component can process the input trace in a parallel way. The trace saved in a distributed file system is split into several blocks (usually 64MB in size), replicated (usually 3 times) and distributed evenly among the nodes. The MapReduce framework exploits this block-level parallelization both during the read and map phases. For example, the default block size of the Hadoop deployment is 64MB, which means that a 1GB trace is split in 16 parts and can be potentially processed using 16 parallel readers and mappers. However, if we execute the algorithm on 3 nodes with 4 cores each, we could process up to 12 blocks in parallel. The input reader is used only in the first iteration and can be seen as a parser that converts the trace into a uniform internal representation that is used in the subsequent iterations. As shown in Figure 6a, the k-th instance of the input reader handles the k-th block T_k of the trace T. For each element (σ, τ) in T_k and every atom p occurring in the MTL formula Φ, the reader outputs a key-value pair of the form (p, (p ∈ σ, τ)). The key is the atom p itself, while the value is a pair consisting of the truth value of p at time τ (obtained by evaluating the expression p ∈ σ) and the time-stamp τ.

Map phase. Each tuple generated by an input reader is passed to a mapper on the same node. Mappers associate the formula in the tuple with all its superformulae in Φ. For example, given Φ = (a ∧ b) ∨ ¬a, if the input reader returns a tuple (a, (⊤, 42)), the mapper will associate it with formulae a ∧ b and ¬a, outputting the tuples (a ∧ b, (a, ⊤, 42)) and (¬a, (a, ⊤, 42)). The mapper, shown in Figure 6b, receives tuples in the form (φ, (v, τ)) from the input reader and outputs all tuples of the form (ψ, (φ, v, τ)) where ψ ∈ sup_Φ(φ).

To support lazy semantics, the algorithm needs to consider all the positions in the trace where we want to evaluate the temporal operators. If any of these positions did not exist in the trace then the original algorithm would evaluate a formula to false (see the example in Section 4). However, to support lazy semantics, we do not need to introduce a position in the trace for each time instant: we know a priori that only formulae of the form F_{=K} —explicitly introduced


1: function InputReader(T_k)
2:   for all (σ, τ) ∈ T_k do
3:     for all p ∈ sub_a(Φ) do
4:       output(p, (p ∈ σ, τ))
5:     end for
6:   end for
7: end function

(a) Input reader algorithm

1: function Mapper((φ, (v, τ)))
2:   for all ψ ∈ sup_Φ(φ) do
3:     output(ψ, (φ, v, τ))
       if lazy(ψ) then                        (grey box: added for MTL_L)
         output(ψ, (φ_act, ⊥, τ + K))
       end if
4:   end for
5: end function

(b) Mapper algorithm

1: function Reducer_{F_I}(ψ, T)
2:   val ← ⊥, win ← ∅
3:   for all (φ, v, τ) ∈ checkDup(T) do       (checkDup: grey box, added for MTL_L)
4:     win ← win ∪ {(φ, v, τ)} if v
5:     while ⌈win⌉_τ − ⌊win⌋_τ ∉ [0,0] ⊎ I do
6:       win ← win \ argmax_τ(win)
7:     end while
8:     val ← ∃(φ, v, τ') ∈ win : τ' − τ ∈ I
9:     output(ψ, (val, τ))
10:  end for
11: end function

(c) Reducer for operator F_I

1: function Reducer_{G_I}(ψ, T)
2:   val ← ⊤, win ← ∅
3:   for all (φ, v, τ) ∈ checkDup(T) do       (checkDup: grey box, added for MTL_L)
4:     win ← win ∪ {(φ, v, τ)} if ¬v
5:     while ⌈win⌉_τ − ⌊win⌋_τ ∉ [0,0] ⊎ I do
6:       win ← win \ argmax_τ(win)
7:     end while
8:     val ← ∃(φ, v, τ') ∈ win : τ' − τ ∈ I
9:     output(ψ, (¬val, τ))
10:  end for
11: end function

(d) Reducer for operator G_I

Figure 6: Reader, Mapper and Reducer algorithms. (Sets sub_a and sup_Φ are defined in Section 6)


by the C_K decomposition— may be evaluated incorrectly if the appropriate positions are missing in the trace (see Example 1). Therefore, we modify the algorithm for the mapper (see Figure 6b) to introduce one position at τ + K only when the parent formula ψ is a subformula of the form F_{=K}; this condition is captured by the lazy() predicate. The emitted tuple contains the tuple (φ_act, ⊥, τ + K) as its value. The mapper is stateless and cannot check if a tuple at time instant τ + K already exists: it is the reducer's responsibility to discard a tuple if it has a duplicate.

Reduce phase. The reducers exploit the information produced by the mappers to determine the truth values of the superformula at each position, i.e., reducers apply the appropriate MTL semantics for the operator used in the superformula. The total number of reducers running in parallel at the l-th iteration is the minimum between the number of subformulae with height l in the input formula Φ and the number of available reducers⁴. Each reducer calls an appropriate reduce function depending on the type of formula used as key in the received tuple. For space reasons we focus only on two algorithms: the one for the metric Eventually operator F_I and the one for the metric Globally operator G_I. We refer the reader to our previous work [9] for the full description of all the reducer algorithms.

Figure 6c shows the algorithm for formulae of the form F_I φ. It uses an auxiliary boolean variable val and a queue win. The algorithm loops through all the tuples received in T, already sorted (by the shuffle and sort phase of the MapReduce framework) in descending order with respect to the time-stamps⁵, and with all duplicates of tuple (φ_act, ⊥, τ) discarded (by means of the checkDup() function). The queue win keeps track of all the tuples with positive truth value that fall in the convex union⁶ (denoted as ⊎) of the intervals [0, 0] and I. This is ensured by the inner while loop, which compares the minimal (⌊win⌋_τ) and maximal (⌈win⌉_τ) time-

⁴ This depends on the configuration of the cluster. Typically, the number of reducers is the number of nodes in the cluster multiplied by the number of cores available on each node.

⁵ Sorting intermediate tuples is called secondary sorting and for simplicity we omit the implementation details.

⁶ A convex union of intervals is defined as a convex hull of the union of the intervals.








Figure 7: Evaluation of the C_4(l2p(Φ)) = F[3,4](p) ∨ F[4,4](F[0,3](p)) formula under MTL_L semantics. (Atoms row of the figure, at time-stamps 1, 2, 4, 6, 8, 9, 10: {p} {p} {q} {p, q} {p, q} {q} {q})

stamp in the queue and keeps removing the maximal tuple (argmax_τ(win)) until the loop condition is satisfied. The final truth value of F_I φ depends on whether the queue win contains a tuple with a time-stamp τ' that is in the interval I. Notice that the size of the queue win depends directly on the size of the interval I and hence the memory scalability of the algorithm on individual nodes depends on the size of the intervals in formula Φ.

The reducer algorithm in Figure 6d implements the semantics of formulae of the form G_I φ. The code is similar to the one for the operator F_I. The only difference is that the queue win keeps track of all the tuples with negative truth value; hence, the truth value of G_I φ depends on whether the queue win contains a tuple in the interval I that is a witness to the violation of φ.
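The following is an added example (not code from the paper or from the MTLMapReduce tool) that implements the windowed reducer sketched in Figure 6c and 6d and makes the memory argument of the previous paragraph measurable: it reports the peak number of tuples held in the queue win, which is exactly what the interval bound drives. Two details are my own assumptions: the window is pruned against the current time-stamp rather than against its own minimum, and checkDup drops any second tuple carrying an already seen time-stamp. The sample tuples are constructed from the trace of Figure 7 (p holds at 1, 2, 6 and 8 and is absent at 4, 9 and 10); the helper names are mine.

```python
"""Windowed reducer for the metric operators F_I and G_I (added example)."""
from collections import deque


def reduce_metric(tuples, interval, eventually=True):
    """Reduce function for F_I phi (eventually=True) or G_I phi.

    `tuples` are (formula, value, time-stamp) triples in descending
    time-stamp order, as delivered after the shuffle-and-sort phase.
    Returns (outputs, max_window): outputs is the list of (value, tau)
    pairs emitted for the superformula, max_window the largest number of
    tuples buffered in `win` at any time, i.e. the reducer's peak memory
    measured in tuples.
    """
    lo, hi = interval
    win = deque()                 # buffered time-stamps, largest first
    seen = set()                  # time-stamps already processed (checkDup)
    outputs, max_window = [], 0
    for _phi, v, tau in tuples:
        if tau in seen:           # assumption: drop duplicated positions
            continue
        seen.add(tau)
        # F_I buffers witnesses of truth, G_I buffers witnesses of violation
        if v == eventually:
            win.append(tau)
        # keep only positions within [0,0] ⊎ I = [0, hi] of the current tau
        while win and win[0] - tau > hi:
            win.popleft()
        max_window = max(max_window, len(win))
        witness = any(lo <= t - tau <= hi for t in win)
        outputs.append((witness if eventually else not witness, tau))
    return outputs, max_window


# Constructed input for F[3,7](p): the Figure 7 trace as the reducer sees it.
FIGURE7_TUPLES = [("p", False, 10), ("p", False, 9), ("p", True, 8),
                  ("p", True, 6), ("p", False, 4), ("p", True, 2),
                  ("p", True, 1)]


def worst_case_tuples(length, atom_present):
    """Constructed trace with time-stamps length-1 .. 0 whose atom is either
    present in every element or absent from all of them (Section 7.2)."""
    return [("x", atom_present, tau) for tau in range(length - 1, -1, -1)]


def peak_window(interval, eventually):
    """Peak buffer size for F_[0,N] p (p always true) or G_[0,N] q (q never true)."""
    tuples = worst_case_tuples(1000, atom_present=eventually)
    return reduce_metric(tuples, interval, eventually)[1]


if __name__ == "__main__":
    print(reduce_metric(FIGURE7_TUPLES, (3, 7))[0])
    for n in (3, 7, 100):
        print(f"N={n}: F window {peak_window((0, n), True)}, "
              f"G window {peak_window((0, n), False)}")
```

On the Figure 7 tuples the reducer emits ⊥ at 10, 9, 8 and 6 and ⊤ at 4, 2 and 1 while never holding more than four tuples; on the worst-case traces of Section 7.2 the peak window is N + 1 tuples for both F[0,N] p and G[0,N] q, which is why bounding the interval by K bounds the reducer's memory.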

Examples of application of the algorithm. Let us use our algorithm to evaluate the formula Φ from Example 1 on the same trace using MTL_P semantics. In the read phase the algorithm parses the trace in parallel and creates the input tuples for the map phase. From the first element ({p}, 1) the InputReader creates only the tuple (p, (⊤, 1)) since Φ refers only to atom p. Tuples (p, (⊤, 1)), (p, (⊤, 2)), (p, (⊥, 4)), (p, (⊤, 6)), (p, (⊤, 8)), (p, (⊥, 9)), (p, (⊥, 10)) are thus received by the map phase. The Mapper associates the formulae from the input tuples with their superformulae. In the case of tuple (p, (⊤, 1)) it generates only tuple (F[3,7](p), (p, ⊤, 1)) since F[3,7](p) is the only superformula of p. The Reducer phase, therefore, receives tuples (F[3,7](p), (p, (⊥, 10))), (F[3,7](p), (p, (⊥, 9))), (F[3,7](p), (p, (⊤, 8))), (F[3,7](p), (p, (⊤, 6))), (F[3,7](p), (p, (⊥, 4))), (F[3,7](p), (p, (⊤, 2))), (F[3,7](p), (p, (⊤, 1))), all shuffled and sorted in a descending order of their time-stamps. Since all the tuples have the same key only one reducer is needed. The reducer applies the algorithm shown in Figure 6c and outputs the truth values of F[3,7](p) for every position in the trace: (F[3,7](p), (⊥, 10)), (F[3,7](p), (⊥, 9)), (F[3,7](p), (⊥, 8)), (F[3,7](p), (⊥, 6)), (F[3,7](p), (⊤, 4)), (F[3,7](p), (⊤, 2)), (F[3,7](p), (⊤, 1)). Notice that the boolean values in the tuples correspond to the values in Figure 2 (row #4).

Assuming again that the memory requirement of keeping 8 positions is too demanding for our infrastructure, we can now use parametric decomposition and lazy semantics to limit the upper bound of the interval in Φ to K = 4. We obtain formula C_4(l2p(Φ)) = F[3,4](p) ∨ F[4,4](F[0,3](p)).

Let us evaluate formula C_4(l2p(Φ)) on the same trace from Example 1 according to MTL_L semantics. Figure 7 shows the truth values of the emitted tuples for every evaluated subformula of C_4(l2p(Φ)). Since h(C_4(l2p(Φ))) = 4 the algorithm performs three iterations. The truth values of the subformulae from the different iterations are separated by the horizontal dashed lines. In the first iteration the trace is parsed to obtain the truth values of atom p. After that, two reducers in parallel calculate the truth values of the F[0,3](p) and F[3,4](p) subformulae. In the second iteration the Mapper emits the additional φ_act tuples since the superformula is of the form F_{=4}. The reducer evaluating formula F[4,4](F[0,3](p)) receives the tuples with the evaluation of F[0,3](p) and φ_act. The φ_act tuples with the crossed truth values are discarded because they are duplicates of the already existing F[0,3](p) tuple shown in the row above. Finally, in the third iteration we can see that the truth values of C_4(l2p(Φ)) (circled in Figure 7) are the same (at all positions in common) as the truth values of Φ shown in Figure 2.

7. EVALUATION

We have implemented our trace checking algorithm in the MTLMapReduce tool, which is publicly available [19]. The tool is implemented in Java and uses the Apache Spark framework [26], which supports iterative MapReduce applications in a better way than Apache Hadoop [2].

In this section we report on the evaluation of our tool, in terms of scalability and time/memory tradeoffs. More specifically, we evaluate our new trace checking algorithm by answering the following research questions:

RQ1: How does the proposed algorithm scale with respect to the size of the time interval used in the formula to be checked? (Section 7.2)

RQ2: When compared to state-of-the-art tools, does the proposed algorithm have a better memory scalability with respect to the size of the time interval used in the formula to be checked? (Section 7.2)

RQ3: What are the time/memory tradeoffs of the proposed algorithm with respect to the decomposition parameter K? (Section 7.3)

7.1 Evaluation settings

To evaluate our approach, we used six t2.micro instances from the Amazon EC2 cloud-based infrastructure with a single CPU core and 1 GB of memory each. We used the standard configuration for the HDFS distributed file system and the YARN data operating system. HDFS block size was set to 64 MB and block replication was set to 3. YARN was configured to allocate containers with memory between 512 MB and 1 GB with 1 core. In all the executions, we limited the memory of our algorithm to 1 GB.

Measuring the actual memory usage of user-defined code in Spark-based applications requires distinguishing between the memory usage of the Spark framework itself and that of user-defined code. This step is necessary since the framework may use the available memory to cache intermediate data to speed up computation. Hence, to measure the memory usage of the auxiliary data structures used by our algorithm (e.g., the win queue), we instrumented the code. This instrumentation, which has a negligible overhead, monitors the memory usage of the algorithm's data structures and reports the maximum usage for each run.

For the evaluation described in the next two subsections, we used synthesized traces. By using synthesized traces, we are able to control in a systematic way the factors, such as the trace length and the frequency of events, that impact on the time and memory required for checking a specific type of formula. In particular, we evaluated our approach by triggering the worst-case scenario, in terms of memory scalability, for our trace checking algorithm. Such a scenario is characterized by having the auxiliary data structures used by the algorithm always at their maximum capacity. To synthesize the traces, we implemented a trace generator program that takes as parameters the desired trace length n and the number of events (i.e., atoms) m per trace element. The program generates a trace with n trace elements, such that the i-th element (with 0 ≤ i ≤ n − 1) has i as time-stamp value. Each trace element has between 1 and m events denoted as {p_1, ..., p_m}, where p_1 = p and the other events are randomly selected with a uniform distribution from the set {p_2, ..., p_m}. We generated ten traces, with n set to 50 000 000 and m set to 20; the average size of each trace, before saving it in the distributed file system, is 3.2 GB. These traces and the other artifacts used for the evaluation are available on the tool web site [19].
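The following is an added example (not the trace generator shipped with MTLMapReduce [19]) that produces traces of the shape just described: n elements, the i-th carrying time-stamp i, each holding p_1 = p plus further atoms drawn uniformly from {p_2, ..., p_m}. Drawing the number of extra atoms uniformly, the seedable random source and the absent_atoms knob (which reproduces the Section 7.2 setting in which an atom such as q is kept out of every element) are my assumptions.

```python
"""Synthetic trace generator in the shape of Section 7.1 (added example)."""
import random


def generate_trace(n, m, seed=0, absent_atoms=()):
    """Return n elements (time_stamp, frozenset_of_atoms).

    Element i has time-stamp i, always contains "p" (= p_1) and between 0
    and m - 1 further atoms drawn uniformly from {p2, ..., pm} minus
    `absent_atoms`, so each element carries between 1 and m atoms.
    """
    rng = random.Random(seed)              # assumption: seedable for repeatability
    pool = [f"p{i}" for i in range(2, m + 1) if f"p{i}" not in absent_atoms]
    trace = []
    for i in range(n):
        extra = rng.sample(pool, rng.randint(0, len(pool)))
        trace.append((i, frozenset(["p", *extra])))
    return trace


def worst_case_trace(n, m, absent="p2"):
    """Trace where p is in every element and `absent` in none (Section 7.2
    uses this shape to keep the reducer's queue at maximum capacity)."""
    return generate_trace(n, m, absent_atoms=(absent,))


def atoms_universe(m):
    """The alphabet {p, p2, ..., pm} a generated trace may draw from."""
    return {"p", *[f"p{i}" for i in range(2, m + 1)]}


if __name__ == "__main__":
    for ts, atoms in generate_trace(5, 4, seed=1):
        print(ts, sorted(atoms))
```

With n = 50 000 000 and m = 20 this matches the parameters used for the ten evaluation traces; the small values in the usage call are only for printing.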

7.2 Scalability

The performance of our distributed trace checking algorithm with respect to the length of the trace and the size of the formula has been already investigated in our previous work [9]. The same conclusions regarding these two parameters apply also to the new algorithm, which uses lazy semantics. Therefore, in this section we only focus on evaluating the memory scalability of the new algorithm.

To answer RQ1, we evaluate the memory usage of the algorithm for different sizes of the time interval used in the MTL formula to be checked. As discussed in Section 6, the largest time interval manageable in a cluster depends on the memory configuration of the node in the cluster with the least amount of memory available. Hence, we evaluate the memory usage on a single node by using formulae of height 1. We consider the two metric formulae G[0,N] q and F[0,N] p, parametrized by the value N of the bound of their time interval. Formula F[0,N] p refers to atom p; notice that our trace generator guarantees that p is present in every trace element. Formula G[0,N] q refers to atom q; we configured our trace generator so that event q is absent in all trace elements. These two formulae exercise the trace checking algorithm in its worst case. Indeed, according to line 4 in Figure 6c, the reducer for F_I buffers all the elements where atom p is true; hence, when checking formula F[0,N] p, at any point in time the queue win will be at its maximum capacity. Dually, when checking formula G[0,N] q, the absence of the event q from the trace will force the algorithm to maintain the queue win at its maximal capacity (line 4 in Figure 6d).

To answer RQ2, we need a baseline for comparison. Among the non-distributed, non-parallel trace checking tools for MTL, we selected the MonPoly [6] tool, which was the best performing tool supporting MTL in the "offline monitoring" track of the first international Competition on Software for Runtime Verification [4] (CSRV 2014). However, it produced a stack overflow error when fed in input with the traces described above. Among distributed and parallel approaches, the only tool supporting MTL and publicly available is the one described in our previous work [9].

Plots in Figure 8a and Figure 8b show the execution time and the memory usage required to check, respectively, formulae G[0,N] q and F[0,N] p, instantiated with different values of parameter N. Each data point is obtained by running the algorithm over the ten synthesized traces and averaging the results. The plots colored in black show the average time and memory usage of our previous algorithm [9], which applies MTL_P semantics. The plots colored in gray represent the runs of our new algorithm that applies MTL_L semantics and decomposes all the formulae with time interval N strictly greater than 30 000 000. The decomposition parameter K = 30 000 000 is the maximal value that our infrastructure can support.

Regarding RQ1, the gray plots confirm that the new algorithm can check, on very large traces, formulae that use very large time intervals in a reasonable time (at most 200s). As for RQ2, the algorithm from [9] exhausts the memory bound of 1GB for the evaluation of both formulae when the time interval N is higher than 30 000 000. Conversely, our new algorithm uses at most 1GB of memory, showing a better memory scalability. Nevertheless, one can see that the new algorithm becomes about 1.5-1.8x slower than the previous algorithm when the time interval N is higher than 30 000 000. This additional time is needed to process the new formula obtained through the C_K decomposition.

7.3 Time/memory tradeoffs

As suggested at the end of the previous section, the parametric decomposition used in the proposed trace checking algorithm leads to a reduced memory usage but increases the execution time. In this section we dig into and generalize this result by investigating the time/memory tradeoffs of our algorithm with respect to the decomposition parameter K (RQ3). More specifically, to answer RQ3 we evaluate the execution time and the memory usage of the algorithm for different values of parameter K, when checking formulae G[0,50 000 000] q and F[0,50 000 000] p. These formulae are processed using the C_K decomposition, with values of K that are taken from the set V = {⌊50 000 000 / i⌋ | i = 2, 3, 4, ...}. As the set V is potentially infinite, we set a threshold of one hour on the execution time.

The plots in Figure 8c show the execution time and the memory usage to check the two formulae. Each data point is obtained by running the algorithm over the ten synthesized traces and averaging the results. The value of K is represented in both plots on the x-axis using the logarithmic scale. The smallest value of K that satisfies the execution time threshold is 1 666 666 (obtained from set V with i = 30); for this value of K the algorithm used 54.14MB of memory and took 43 minutes to complete. As one can see from the plots, using a lower value for K decreases the memory footprint of the algorithm. However, a lower value for K also yields a longer execution time for the algorithm. This longer execution time is due to the fact that a lower value for K increases the size (and the height) of the formula obtained after applying the C_K decomposition. The increased height of the decomposed formula triggers more iterations of the algorithm, yielding longer execution times. There is clearly a tradeoff between time and memory determined by the value of the parameter K. A good balance is achieved when K is set to the largest possible value supported by the infrastructure: in this way, it is possible to reduce the size of the decomposed formula without incurring a longer execution time for the algorithm. However, our algorithm is completely parametric in K, allowing engineers to tune the algorithm to be either more time- or more memory-intensive.
Figure 8: Scalability and time/memory tradeoffs for the proposed trace checking algorithm.


8. RELATED WORK 

The approach presented in this paper is strictly related to 
work done in the areas of alternative semantics for metric 
temporal logics and of trace checking/run-time verification. 

Alternative semantics for metric temporal logics. The work closest to our lazy semantics is the one in [14], which proposes an alternative MTL semantics, used to prove that signal-based semantics is more expressive than point-based semantics over finite words. Despite the similarity between the two semantics, the definition of the Until operator under our lazy semantics is more practical for the purpose of trace checking, since it requires the left subformula of an Until operator to hold in a finite number of positions. Reference [12] presents a revised semantics for the model parametric semantics (MPS) on finite domains of the TRIO temporal logic [21], to enable the executability of temporal logic specifications. The revised semantics addresses the limitations of the original MPS semantics when dealing with formulae with bounded temporal operators. It proposes an interpretation of bounded temporal operators that shares the same intuition behind the definition of lazy semantics.

Trace checking/run-time verification. Several approaches for trace checking and run-time verification and monitoring of temporal logic specifications have been proposed in the last decade. The majority of them (see, for example, [7,15,17,23,24]) are centralized and use sequential algorithms to process the trace (or, in online algorithms, the stream of events). As mentioned in Section 7.2, the centralized, sequential nature of these algorithms does not allow them to process either large traces or properties containing very large time bounds. In the last years there have been approaches for trace checking [5] and runtime verification [8, 20, 23] that rely on some sort of parallelization. However, they mostly focus on splitting the traces based on the data they contain, rather than on the structure of the formula. These approaches adopt first-order relations with finite domains to represent the events in the trace. The trace can then be split into several unrelated partitions based on the terms occurring in the relations. We consider these approaches orthogonal to ours, since we focus on the scalability with respect to the temporal dimension, rather than the data dimension. As for the specific application of MapReduce for trace checking, an iterative algorithm for LTL is proposed in [3]. Similarly to the algorithm presented in this paper and to our previous work [9], the algorithm in [3] performs iterations of MapReduce jobs depending on the height of the formula to check. However, it does not address the issue of memory consumption of the reducers. Moreover, the whole trace is kept in memory during the reduce phase, making the approach unfeasible for very large traces.

9. CONCLUSIONS AND FUTURE WORK 

The goal of this work is to address the memory scalability issue that affects trace checking algorithms when dealing with temporal properties that use large time intervals. We have proposed an alternative, lazy semantics for MTL, whose properties allow for a parametric decomposition of any MTL formula into an equivalent MTL formula with bounded time intervals. As shown in the evaluation, such decomposition can be used to improve distributed trace checking algorithms, making them more memory-efficient and able to deal with both very large traces and very large time intervals.

One future direction is to extend lazy semantics to a version of MTL with support for first-order relations on finite domains, to support more expressive properties. Another line of future research will focus on techniques to automate the C_K decomposition of formulae, for example to automatically determine the most appropriate value for K based on the configuration of the available cloud infrastructure.
APPENDIX

A. PROOF OF THE LEMMATA 

Lemma 1. Given an MTL formula φ and a timed word ω = (σ, τ), for any i ≥ 0, the following equivalence holds:

(σ, τ, i) ⊨_P φ iff (σ, τ, τ_i) ⊨_L l2p(φ) (1)

Proof. The lemma is proved by structural induction on formula φ. Let γ be an MTL formula. The inductive hypothesis is (σ, τ, i) ⊨_P γ iff (σ, τ, τ_i) ⊨_L l2p(γ).

1. base case: γ is p ∈ Π.

(σ, τ, i) ⊨_P p iff p ∈ σ_i iff ∃j.(0 ≤ j < |σ| ∧ τ_j = τ_i ∧ p ∈ σ_j) iff (σ, τ, τ_i) ⊨_L p. Then, we obtain (σ, τ, τ_i) ⊨_L l2p(p), by definition of l2p.

2. γ is ¬φ.

(σ, τ, i) ⊨_P ¬φ iff (σ, τ, i) ⊭_P φ iff, by inductive hypothesis, (σ, τ, τ_i) ⊭_L l2p(φ) iff, by definition of l2p, (σ, τ, τ_i) ⊨_L ¬l2p(φ) iff (σ, τ, τ_i) ⊨_L l2p(¬φ).

3. γ is φ ∧ ψ.

(σ, τ, i) ⊨_P φ ∧ ψ iff (σ, τ, i) ⊨_P φ and (σ, τ, i) ⊨_P ψ iff, by inductive hypothesis, (σ, τ, τ_i) ⊨_L l2p(φ) and (σ, τ, τ_i) ⊨_L l2p(ψ) iff (σ, τ, τ_i) ⊨_L l2p(φ) ∧ l2p(ψ) iff, by definition of l2p, (σ, τ, τ_i) ⊨_L l2p(φ ∧ ψ).

4. γ is φ U_I ψ.

(σ, τ, i) ⊨_P φ U_I ψ iff

∃j.(i ≤ j < |σ| ∧ τ_j − τ_i ∈ I ∧ (σ, τ, j) ⊨_P ψ ∧ ∀k.(i ≤ k < j → (σ, τ, k) ⊨_P φ)) iff, by inductive hypothesis,
∃j.(i ≤ j < |σ| ∧ τ_j − τ_i ∈ I ∧ (σ, τ, τ_j) ⊨_L l2p(ψ) ∧ ∀k.(i ≤ k < j → (σ, τ, τ_k) ⊨_L l2p(φ))) iff
∃t_j.(t_i ≤ t_j ≤ τ_{|σ|} ∧ t_j − t_i ∈ I ∧ (σ, τ, t_j) ⊨_L φ_act ∧ l2p(ψ) ∧ ∀t_k.(t_i ≤ t_k < t_j ∧ ∃i.(0 ≤ i < |σ| ∧ τ_i = t_k) → (σ, τ, t_k) ⊨_L l2p(φ))) iff

(σ, τ, t_i) ⊨_L l2p(φ) U_I (φ_act ∧ l2p(ψ)) iff, by definition of l2p,

(σ, τ, t_i) ⊨_L l2p(φ U_I ψ).

The lemma is proved by considering γ = φ. □

Lemma 2. For any timed word $(\sigma, \tau)$ and $t \geq 0$, we have that 

$(\sigma, \tau, t) \models_L F_I F_J \varphi \quad \text{iff} \quad (\sigma, \tau, t) \models_L F_{I \oplus J}\varphi.$ (2) 

Proof. We show two cases. In the first one, both $F$ formulae have left- and right-closed intervals. The second one considers all the other combinations. 

$F_{[a,b]}(F_{[c,d]}\varphi)$: 

$(\sigma, \tau, t) \models_L F_{[a,b]}(F_{[c,d]}\varphi)$ iff 

$\exists t'.(t' \geq t \wedge t' - t \in [a,b] \wedge (\sigma, \tau, t') \models_L F_{[c,d]}\varphi)$ iff 
$\exists t'.(t' \geq t \wedge t' \in [t+a, t+b] \wedge \exists t''.(t'' \geq t' \wedge t'' \in [t'+c, t'+d] \wedge (\sigma, \tau, t'') \models_L \varphi))$ iff 
$\exists t'.(t' \geq t \wedge \exists t''.(t'' \geq t' \wedge t'' \in [t+a+c, t+b+d] \wedge (\sigma, \tau, t'') \models_L \varphi))$ iff 

$\exists t''.(t'' \geq t \wedge t'' \in [t+a+c, t+b+d] \wedge (\sigma, \tau, t'') \models_L \varphi)$ iff 

$(\sigma, \tau, t) \models_L F_{I \oplus J}\varphi$. 

$F_{(a,b)}(F_{(c,d)}\varphi)$: 

$(\sigma, \tau, t) \models_L F_{(a,b)}(F_{(c,d)}\varphi)$ iff 

$\exists t'.(t' \geq t \wedge t' - t \in (a,b) \wedge (\sigma, \tau, t') \models_L F_{(c,d)}\varphi)$ iff 
$\exists t'.(t' \geq t \wedge t' \in (t+a, t+b) \wedge \exists t''.(t'' \geq t' \wedge t'' \in (t'+c, t'+d) \wedge (\sigma, \tau, t'') \models_L \varphi))$ iff 
$\exists t'.(t' \geq t \wedge \exists t''.(t'' \geq t' \wedge t'' \in (t+a+c, t+b+d) \wedge (\sigma, \tau, t'') \models_L \varphi))$ iff 

$\exists t''.(t'' \geq t \wedge t'' \in (t+a+c, t+b+d) \wedge (\sigma, \tau, t'') \models_L \varphi)$ iff 

$(\sigma, \tau, t) \models_L F_{I \oplus J}\varphi$. 

□ 

Lemma 3. For any timed word $(\sigma, \tau)$ and $t \geq 0$, we have that 

$(\sigma, \tau, t) \models_L F_I\varphi \vee F_J\varphi \quad \text{iff} \quad (\sigma, \tau, t) \models_L F_{I \cup J}\varphi, \quad \text{if } I \cap J \neq \emptyset.$ 

Proof. We prove the lemma for the case of $I = (a,b)$, $J = (c,d)$, as we can always rewrite intervals as left-right open ones. The case $F_{[0,b)}\varphi$ becomes $F_{(0,b)}\varphi \vee \varphi$. The case for unbounded intervals is similar. By $I \cap J \neq \emptyset$ we have both $c + 1 \leq b$ and $a + 1 \leq d$, which entails $c < b$ and $a < d$. Therefore, we have that $\min\{a,b,c,d\} = \min\{a,c\}$ and $\max\{a,b,c,d\} = \max\{b,d\}$. 

$(\sigma, \tau, t) \models_L F_I\varphi \vee F_J\varphi$ iff 

$(\sigma, \tau, t) \models_L F_I\varphi$ or $(\sigma, \tau, t) \models_L F_J\varphi$ iff 

$\exists t'.(t' \geq t \wedge t' - t \in (a,b) \wedge (\sigma, \tau, t') \models_L \varphi)$ or $\exists t'.(t' \geq t \wedge t' - t \in (c,d) \wedge (\sigma, \tau, t') \models_L \varphi)$ iff 

$\exists t'.(t' \geq t \wedge (t' - t \in (a,b) \wedge (\sigma, \tau, t') \models_L \varphi \vee t' - t \in (c,d) \wedge (\sigma, \tau, t') \models_L \varphi))$ iff, as $a < b$ and $c < d$, 

$\exists t'.(t' \geq t \wedge t' - t \in (\min\{a,c\}, \max\{b,d\}) \wedge (\sigma, \tau, t') \models_L \varphi)$ iff 

$(\sigma, \tau, t) \models_L F_{(\min\{a,c\}, \max\{b,d\})}\varphi$ iff 
$(\sigma, \tau, t) \models_L F_{I \cup J}\varphi$. □ 

B. PROOF OF THEOREM 3 

Theorem 3. Given an MTL$_L$ formula $\varphi$, a timed word $(\sigma, \tau)$ and a positive constant $K$, the following equivalence holds: 

$(\sigma, \tau, 0) \models_L \varphi \quad \text{iff} \quad (\sigma, \tau, 0) \models_L \mathcal{L}_K(\varphi)$ (3) 

and the right-hand side bound of every bounded interval in all temporal subformulae of $\mathcal{L}_K(\varphi)$ is less than or equal to $K$. 

Proof. We can prove this statement by showing that $\mathcal{L}_K(\varphi)$ can always be rewritten back to $\varphi$ using Lemmata 2 and 3. Let us perform structural induction on the MTL$_L$ formula $\varphi$. The inductive hypothesis is $(\sigma, \tau, i) \models_L \theta$ iff $(\sigma, \tau, i) \models_L \mathcal{L}_K(\theta)$. Then, the theorem is proved by choosing $\theta = \varphi$ and $i = 0$. In the proof we extensively use the following properties: $\lfloor \frac{a}{K} + 1 \rfloor \cdot K = \lfloor \frac{a}{K} \rfloor \cdot K + K$, denoted with (*); $b - \lfloor \frac{b}{K} \rfloor \cdot K = b \bmod K$, denoted with (**); and $\lfloor n + \epsilon \rfloor = n$ for $n \in \mathbb{N}$ and $\epsilon \in [0,1)$, denoted with (***). 

1. Base cases are the atoms, which are not affected by the translation. 

2. The same holds for boolean connectives. 

3. Let $\theta = F_{(a,b)}(\varphi)$. We need to consider three cases. 

(a) $[b \leq K]$: $(\sigma, \tau, i) \models_L F_{(a,b)}(\varphi)$ iff $\exists j.(j - i \in (a,b) \text{ and } (\sigma, \tau, j) \models_L \varphi)$, which is, by inductive hypothesis, $\exists j.(j - i \in (a,b) \text{ and } (\sigma, \tau, j) \models_L \mathcal{L}_K(\varphi))$ iff $(\sigma, \tau, i) \models_L F_{(a,b)}(\mathcal{L}_K(\varphi))$, which is, by definition of $\mathcal{L}_K$, $(\sigma, \tau, i) \models_L \mathcal{L}_K(F_{(a,b)}(\varphi))$. Since $b \leq K$, the right-hand side bound is less than or equal to $K$. 

(b) $[K < b \leq \lfloor \frac{a}{K} + 1 \rfloor \cdot K]$: Identically to (a), we have $(\sigma, \tau, i) \models_L F_{(a,b)}(\varphi)$ iff $(\sigma, \tau, i) \models_L F_{(a,b)}(\mathcal{L}_K(\varphi))$ by inductive hypothesis. The interval is not bounded by $K$ as $K < b$. By property (**), we get 

$(\sigma, \tau, i) \models_L F_{(a \bmod K + K \cdot \lfloor \frac{a}{K} \rfloor,\; b - K \cdot \lfloor \frac{a}{K} \rfloor + K \cdot \lfloor \frac{a}{K} \rfloor)}\mathcal{L}_K(\varphi)$ 

and, by Lemma 2, we obtain $(\sigma, \tau, i) \models_L F_{=K \cdot \lfloor \frac{a}{K} \rfloor}(F_{(a \bmod K,\; b - \lfloor \frac{a}{K} \rfloor \cdot K)}\mathcal{L}_K(\varphi))$. By Corollary 1 the formula can be rewritten into 

$(\sigma, \tau, i) \models_L F_{=K}^{\lfloor \frac{a}{K} \rfloor}(F_{(a \bmod K,\; b - \lfloor \frac{a}{K} \rfloor \cdot K)}\mathcal{L}_K(\varphi))$ 

then, by definition of $\mathcal{L}_K$, we obtain $(\sigma, \tau, i) \models_L \mathcal{L}_K(F_{(a,b)}(\varphi))$. By property (*) and the case assumption $b \leq \lfloor \frac{a}{K} + 1 \rfloor \cdot K$ we have that $b - \lfloor \frac{a}{K} \rfloor \cdot K \leq K$, therefore the right-hand side bound of the interval is less than or equal to $K$. 

(c) $[b > \lfloor \frac{a}{K} + 1 \rfloor \cdot K]$: Identically to (b) we have 

$(\sigma, \tau, i) \models_L F_{(a,b)}(\varphi)$ iff $(\sigma, \tau, i) \models_L F_{=K}^{\lfloor \frac{a}{K} \rfloor}(F_{(a \bmod K,\; b - \lfloor \frac{a}{K} \rfloor \cdot K)}\mathcal{L}_K(\varphi))$. 

Since $b > \lfloor \frac{a}{K} + 1 \rfloor \cdot K$, then $b - \lfloor \frac{a}{K} \rfloor \cdot K > K$. Let $n = \lfloor \frac{b}{K} \rfloor - \lfloor \frac{a}{K} \rfloor$; we can use Lemma 3 to write 

$(\sigma, \tau, i) \models_L F_{=K}^{\lfloor \frac{a}{K} \rfloor}(F_{(a \bmod K, K]}\mathcal{L}_K(\varphi) \vee F_{[K,2K]}\mathcal{L}_K(\varphi) \vee F_{[2K,3K]}\mathcal{L}_K(\varphi) \vee \ldots \vee F_{[(n-1)K, nK]}\mathcal{L}_K(\varphi) \vee F_{[nK,\; b - \lfloor \frac{a}{K} \rfloor \cdot K)}\mathcal{L}_K(\varphi))$ 

then, by Lemma 2 and property (*), we get 

$(\sigma, \tau, i) \models_L F_{=K}^{\lfloor \frac{a}{K} \rfloor}(F_{(a \bmod K, K]}\mathcal{L}_K(\varphi) \vee F_{=K}(F_{[0,K]}\mathcal{L}_K(\varphi) \vee F_{[K,2K]}\mathcal{L}_K(\varphi) \vee \ldots \vee F_{[(n-2)K, (n-1)K]}\mathcal{L}_K(\varphi) \vee F_{[(n-1)K,\; b - \lfloor \frac{a}{K} + 1 \rfloor \cdot K)}\mathcal{L}_K(\varphi)))$. 

Lemma 2 is applied $n$ times until we get 

$(\sigma, \tau, i) \models_L F_{=K}^{\lfloor \frac{a}{K} \rfloor}(F_{(a \bmod K, K]}\mathcal{L}_K(\varphi) \vee F_{=K}(F_{[0,K]}\mathcal{L}_K(\varphi) \vee F_{=K}(F_{[0,K]}\mathcal{L}_K(\varphi) \vee \ldots \vee F_{=K}(F_{[0,K]}\mathcal{L}_K(\varphi) \vee F_{=K}(F_{[0,\; b - \lfloor \frac{a}{K} + n \rfloor \cdot K)}\mathcal{L}_K(\varphi))) \ldots)))$. 

According to properties (**) and (***), the value $b - \lfloor \frac{a}{K} + n \rfloor \cdot K = b \bmod K$, which is strictly less than $K$. 

By definition of $\mathcal{D}_F$ (base case) we write 

$(\sigma, \tau, i) \models_L F_{=K}^{\lfloor \frac{a}{K} \rfloor}(F_{(a \bmod K, K]}\mathcal{L}_K(\varphi) \vee F_{=K}(F_{[0,K]}\mathcal{L}_K(\varphi) \vee F_{=K}(F_{[0,K]}\mathcal{L}_K(\varphi) \vee \ldots \vee F_{=K}(F_{[0,K]}\mathcal{L}_K(\varphi) \vee F_{=K}(\mathcal{D}_F(\mathcal{L}_K(\varphi), K, b - \lfloor \frac{a}{K} + n \rfloor \cdot K))) \ldots)))$. 

By definition of $\mathcal{D}_F$ (recursive case) we write 

$(\sigma, \tau, i) \models_L F_{=K}^{\lfloor \frac{a}{K} \rfloor}(F_{(a \bmod K, K]}\mathcal{L}_K(\varphi) \vee F_{=K}(F_{[0,K]}\mathcal{L}_K(\varphi) \vee F_{=K}(F_{[0,K]}\mathcal{L}_K(\varphi) \vee \ldots \vee F_{=K}(\mathcal{D}_F(\mathcal{L}_K(\varphi), K, b - \lfloor \frac{a}{K} + n \rfloor \cdot K + K)) \ldots)))$. 

By property (*) we write 

$(\sigma, \tau, i) \models_L F_{=K}^{\lfloor \frac{a}{K} \rfloor}(F_{(a \bmod K, K]}\mathcal{L}_K(\varphi) \vee F_{=K}(F_{[0,K]}\mathcal{L}_K(\varphi) \vee F_{=K}(F_{[0,K]}\mathcal{L}_K(\varphi) \vee \ldots \vee F_{=K}(\mathcal{D}_F(\mathcal{L}_K(\varphi), K, b - \lfloor \frac{a}{K} + n - 1 \rfloor \cdot K)) \ldots)))$. 

We apply the definition of $\mathcal{D}_F$ (recursive case) and property (*) $n - 1$ times to get 

$(\sigma, \tau, i) \models_L F_{=K}^{\lfloor \frac{a}{K} \rfloor}(F_{(a \bmod K, K]}\mathcal{L}_K(\varphi) \vee F_{=K}(\mathcal{D}_F(\mathcal{L}_K(\varphi), K, b - \lfloor \frac{a}{K} + 1 \rfloor \cdot K)))$. 

Finally, we apply the definition of $\mathcal{L}_K$ to obtain 

$(\sigma, \tau, i) \models_L \mathcal{L}_K(F_{(a,b)}(\varphi))$. 

□ 
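As an added worked instance of case (c), not part of the original appendix, take $K = 3$ and $\theta = F_{(5,10)}(\varphi)$, and write $\psi$ for $\mathcal{L}_K(\varphi)$; the steps are exactly those of the proof above, with the concrete values filled in:

```latex
% Added worked instance of case (c): K = 3, a = 5, b = 10; psi abbreviates L_K(phi).
% lfloor a/K rfloor = 1,  a mod K = 2,  lfloor a/K + 1 rfloor * K = 6 < b = 10  (case (c)),
% n = lfloor b/K rfloor - lfloor a/K rfloor = 3 - 1 = 2,  b mod K = 1.
\begin{align*}
(\sigma,\tau,i) \models_L F_{(5,10)}(\varphi)
 &\ \text{iff}\ (\sigma,\tau,i) \models_L F_{(5,10)}(\psi)
   && \text{(inductive hypothesis)}\\
 &\ \text{iff}\ (\sigma,\tau,i) \models_L F_{(2+3,\,7+3)}(\psi)
   && \text{(property (**): } 5 = 2 + 3\cdot 1)\\
 &\ \text{iff}\ (\sigma,\tau,i) \models_L F_{=3}\big(F_{(2,7)}\psi\big)
   && \text{(Lemma 2, Corollary 1)}\\
 &\ \text{iff}\ (\sigma,\tau,i) \models_L F_{=3}\big(F_{(2,3]}\psi \vee F_{[3,6]}\psi \vee F_{[6,7)}\psi\big)
   && \text{(Lemma 3, } n = 2 \text{ extra disjuncts)}\\
 &\ \text{iff}\ (\sigma,\tau,i) \models_L F_{=3}\big(F_{(2,3]}\psi \vee F_{=3}(F_{[0,3]}\psi \vee F_{[3,4)}\psi)\big)
   && \text{(Lemma 2, (*): } 7 - 3 = 4)\\
 &\ \text{iff}\ (\sigma,\tau,i) \models_L F_{=3}\big(F_{(2,3]}\psi \vee F_{=3}(F_{[0,3]}\psi \vee F_{=3}(F_{[0,1)}\psi))\big)
   && \text{(Lemma 2, (*): } 4 - 3 = 1 = b \bmod K)\\
 &\ \text{iff}\ (\sigma,\tau,i) \models_L F_{=3}\big(F_{(2,3]}\psi \vee F_{=3}(F_{[0,3]}\psi \vee F_{=3}(\mathcal{D}_F(\psi,3,1)))\big)
   && (\mathcal{D}_F \text{ base case, } 1 < K)\\
 &\ \text{iff}\ (\sigma,\tau,i) \models_L F_{=3}\big(F_{(2,3]}\psi \vee F_{=3}(\mathcal{D}_F(\psi,3,4))\big)
   && (\mathcal{D}_F \text{ recursive case, } 4 = b - \lfloor \tfrac{a}{K}+1 \rfloor\cdot K)\\
 &\ \text{iff}\ (\sigma,\tau,i) \models_L \mathcal{L}_3\big(F_{(5,10)}(\varphi)\big).
   && \text{(definition of } \mathcal{L}_K)
\end{align*}
% Every bounded interval in the final formula ((2,3], [3,3], [0,3], [0,1)) has right bound <= K = 3,
% as Theorem 3 requires, while the original interval (5,10) had right bound 10.
```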



